“Malware” is short for “malicious software”—computer programs designed to infiltrate and damage computers without the user's consent. Malware is a rapidly growing threat, with hundreds of thousands of new instances reported weekly. One reason is packer technology, which wraps existing malware and encrypts it to disguise the contents of the malicious file, allowing a single piece of malware to multiply into many different samples. The result is potentially thousands of distinct malware variations, all of which contain the same underlying malware. This is shown, for example, in FIG. 1, where single malware samples 1a, 1b and 1c have each multiplied, for example via packer technology, into numerous variations 2a, 2b, 2c.
Advanced Persistent Threat (APT) attacks, which include malware, are another type of threat faced by the networks of organizations and enterprises. Other advanced malware is used to access or extract data from a specific network resource in a specific organization. This network resource may be, for example, a privileged or sensitive server, or a control system for an industrial machine, e.g., a supervisory control and data acquisition (SCADA) system.
Contemporary security products, including cyber security prevention products, handle attacks such as APTs, advanced malware and targeted attacks by analyzing signatures. This analysis compares observed artifacts against the signatures of known threats, for example memory signatures, file system signatures, network signatures or other types of signatures. Other products compare against the known reputation of a threat, or apply behavior analysis.
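The following is an added example, not part of the original text, showing why the packer technology described above defeats the file-level signature comparison described here. It implements a toy packer (compress, then XOR with a per-sample key, behind a small header), produces several packed variants of one constructed inert payload, and compares hashes of the packed files against the hash of the original. The payload bytes, the "PK01" header format and the eight-byte key length are assumptions made for the illustration; a real packer also carries a run-time unpacking stub, which the header stands in for here.

```python
import hashlib
import random
import zlib

# Constructed stand-in for a malicious file body. It is inert data used only for hashing;
# nothing in this example executes it.
PAYLOAD = b"MZ\x90\x00" + b"constructed example payload bytes; " * 16


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the 'encryption' layer of the toy packer)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: compress the payload, XOR it with a per-sample key and prepend a
    small header (assumed format: magic 'PK01', key length, key)."""
    body = xor_bytes(zlib.compress(payload), key)
    return b"PK01" + bytes([len(key)]) + key + body


def unpack(sample: bytes) -> bytes:
    """Reverse pack(): read the key from the header, XOR and decompress the body."""
    if sample[:4] != b"PK01" or len(sample) < 5:
        raise ValueError("not a PK01 toy-packed sample")
    klen = sample[4]
    key = sample[5:5 + klen]
    return zlib.decompress(xor_bytes(sample[5 + klen:], key))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_variants(payload: bytes, count: int, seed: int = 1234) -> list:
    """Produce `count` packed variants of one payload, each with a fresh random key."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    return [pack(payload, bytes(rng.randrange(256) for _ in range(8)))
            for _ in range(count)]


def static_hash_match(sample: bytes, known_hashes: set) -> bool:
    """File-level signature comparison on the bytes as they arrive."""
    return sha256_hex(sample) in known_hashes


def unpacked_hash_match(sample: bytes, known_hashes: set) -> bool:
    """The same comparison after unpacking, i.e. against the underlying malware."""
    try:
        return sha256_hex(unpack(sample)) in known_hashes
    except (ValueError, IndexError, zlib.error):
        return False


if __name__ == "__main__":
    known = {sha256_hex(PAYLOAD)}            # the signature of the original sample
    variants = make_variants(PAYLOAD, 5)
    print("distinct packed hashes:", len({sha256_hex(v) for v in variants}))
    print("static matches:", sum(static_hash_match(v, known) for v in variants))
    print("unpacked matches:", sum(unpacked_hash_match(v, known) for v in variants))
```

Every variant has a different file hash, so the static comparison matches none of them, while the comparison after unpacking matches all of them; this is the gap that memory signatures (taken after the malware has unpacked itself) and behavior analysis are meant to close.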
Other security/cyber security products provide behavioral forensic capabilities, in real time or after an incident. These products are typically implemented at the network level or on endpoints (agent-based solutions). Some vendors combine these two capabilities.
However, most of these contemporary security systems take the same general approach in their attempt to prevent malware attacks: the malware is first detected, then analyzed, and preventative action is taken afterward.
Still, security systems cannot guarantee absolute protection from malware, APTs (Advanced Persistent Threats) and targeted attacks. This is because most common malware uses a set of evasion techniques to avoid or defeat accurate analysis of the malware for detection. These evasion techniques prevent security-analysis software from detecting the malware and analyzing it, for example when the malware is run in a virtualized analysis environment, commonly referred to as a ‘sandbox’. Other malware uses evasion techniques to detect the presence of security software and, once it is detected, refrains from executing at that endpoint, in order to avoid detection by it.
Reference is now made to FIG. 2 and FIG. 3, which detail an example of an evasion technique used by advanced malware. FIG. 2 shows a typical internal network 20, for example, of an enterprise, also known as an “enterprise network,” which is linked to an external network 10. The external network 10 is, for example, a wide area or public network, such as the Internet.
The internal network 20 includes, for example, a DMZ (demilitarized zone) area 21 and a secondary area 22. The DMZ area 21 typically includes gateways and security systems, such as “sandboxes” and next-generation IPS, represented by the endpoint 24. The DMZ area 21 is a semi-secure segment of the internal or enterprise network 20. A DMZ area is typically used to give outside users access to corporate resources, since these users are not allowed to reach the inside servers directly; these inside machines define the endpoints 26. The secondary area 22 of the internal network 20 includes the endpoints 26. Typical endpoints include networked user computers and other computer-type devices.
In a typical network, the DMZ area 21 acts as a gateway to the internal network 20, in order to detect malware, as the malware attempts to penetrate the enterprise or internal network 20.
Since targeted attacks mostly aim to extract information from and/or persistently control resources in the victim environment or network, they use advanced malware with persistence and evasion techniques as described above. Such malware usually attempts to distribute itself to other network resources, such as servers and workstations across the enterprise network, until it reaches a less protected endpoint 26, assumed to lie beyond the DMZ area 21, i.e., within the secondary area 22 of the internal network 20, thus bypassing the enterprise's security protection mechanisms in the DMZ area 21. After bypassing these mechanisms and ‘finding’ a less secured victim machine or network environment, the malware executes the attack and spreads mutant variations over the internal network 20. The malware has now become a persistent threat, or APT, which can significantly damage the enterprise's network and the machines on it.
For example, targeted attacks use advanced malware with evasion techniques, which are able to detect security systems (such as sandbox). Upon detection, the malware refrains from executing, in order to avoid being detected by the security system.
FIG. 3 shows a process of a malware attack, for example on the internal network 20. The malware reaches the internal network 20 via the external network 10, arriving in the DMZ area 21 at the gateway of the enterprise or internal network 20, represented by the endpoint 24, at block 30. Also at block 30, the malware encounters the security system, for example a sandbox machine, likewise represented by the endpoint 24. Moving to block 31, the malware executes non-suspicious code that attempts to detect behavior characteristic of security systems. Such characteristic behavior includes, for example, the presence of virtual machine (VM) processes or services, which is typical of sandbox technology, since sandboxes use multiple virtual machines to run file analysis in an isolated environment, looking for suspicious behavior (anomalies).
If the malware detects such a process or service, the process moves to block 32, as a security environment has been detected. The process then moves to block 33, where the malware refrains from execution to avoid detection and waits until it reaches its next hop, e.g., the next network node, for example an endpoint 26 in the secondary area 22, or alternatively destroys itself (self-destruction). Self-destruction typically happens when the malware was injected into the endpoint 26 not from the external network but through physical access to the endpoint via removable media, that access having been obtained by social engineering; there is then no next hop to wait for. In this case the process is over, as the malware has self-destructed. Should the malware have moved to its next network hop, the process returns to block 31, from where it resumes.
From block 31, should the malware not have detected a security process or service, the process moves to block 34, where the malware continues to look for a potential target. Once a target is found, the malware executes, at block 35. Most of the ‘deadliest’ targeted malware attacks use the attack concept described in FIG. 3.
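The decision process of FIG. 3 (blocks 31 through 35), as an added example that is not part of the original text. The innocuous check at block 31 is modeled as a process listing compared against a list of VM guest-tool process names; the page only says "VM processes/services", so the specific names below (VMware and VirtualBox guest tools) are illustrative choices, as are the host names and process listings, which are constructed data. A single-host chain models delivery by removable media, where detection of a security environment ends in self-destruction because there is no next hop. The same indicator check, run from the defender's side, tells a sandbox operator which artifacts their environment exposes to this kind of test.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Process names that betray a VM guest (VMware and VirtualBox guest tools). These are
# illustrative examples chosen for this block; the page only speaks of "VM processes".
VM_INDICATORS = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
                 "vboxservice.exe", "vboxtray.exe"}


@dataclass
class Host:
    """A network hop as the malware sees it: a name, a process listing and whether it
    holds something worth attacking (constructed data, not a real inventory)."""
    name: str
    processes: List[str] = field(default_factory=list)
    has_target: bool = False


def visible_vm_indicators(processes: List[str]) -> Set[str]:
    """Block 31: the innocuous check. Listing processes and comparing names is not
    itself suspicious behaviour. Returned as a set so a sandbox operator can see
    exactly which artifacts their environment leaks."""
    return {p.lower() for p in processes} & VM_INDICATORS


def run_attack_flow(hops: List[Host]) -> List[Tuple[str, str]]:
    """Walk the FIG. 3 decision process over the ordered hosts the sample reaches and
    return (host, decision) pairs. A one-element list models removable-media delivery:
    with no next hop, detection of a security environment ends in self-destruction."""
    trace = []
    for i, host in enumerate(hops):
        if visible_vm_indicators(host.processes):                   # block 32
            if i == len(hops) - 1:
                trace.append((host.name, "self-destruct"))          # block 33, no next hop
                return trace
            trace.append((host.name, "refrain; wait for next hop"))  # block 33
            continue                                                 # back to block 31
        if host.has_target:                                          # block 34
            trace.append((host.name, "execute"))                     # block 35
            return trace
        trace.append((host.name, "no target; keep looking"))
    return trace


if __name__ == "__main__":
    # Constructed chain: sandbox in the DMZ (endpoint 24), then two endpoints 26.
    chain = [
        Host("dmz-sandbox-24", ["explorer.exe", "vmtoolsd.exe"]),
        Host("endpoint-26a", ["explorer.exe", "outlook.exe"]),
        Host("endpoint-26b", ["explorer.exe", "sqlservr.exe"], has_target=True),
    ]
    for host, decision in run_attack_flow(chain):
        print(f"{host}: {decision}")
```

The trace for the constructed chain is the path the text describes: the sample stays dormant on the sandbox host, moves on through an endpoint with nothing of interest, and executes on the first inside machine that holds a target. The practical caveat is that the check is only as good as the indicator list; a sandbox that renames or hides its guest tooling passes the check, which is exactly why such environments are hardened against these artifacts.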